Ransomware question

15 replies to this topic
WildBrick142
  • WildBrick142

    GTAV Forum Leader

  • Leone Family Mafia
  • Joined: 18 Dec 2012
  • Ireland
  • Contribution Award [GTA V]

#1

Posted 14 June 2013 - 08:46 PM Edited by WildBrick142, 14 June 2013 - 08:58 PM.

I recently got a Ransomware virus and got rid of it successfully. I still have a feeling that malicious files are on my PC. My PC randomly makes noise as if it was attempting to run a program, and the loading circle on my mouse randomly appears and vanishes. I'm scanning the PC with Malwarebytes for other files. Also, I have all the stuff used in the fake police image and the hackers' Java installer saved in AppData/Temp. I'm afraid to remove the folder in case there are important files there (temporary, but there can still be something).

Right now the only files that were marked malicious were a bunch of programs that had nothing to do with it, skype.ini and an xYyMBSS.exe, both of which turn on the lock screen. I'm afraid that there are leftover keyloggers, rootkits, ransomware, etc. hiding in my system. So, is it possible to track down all the files without having to format the system?

Also, in the Temp folder there are fake Java installers that connect my PC with the virus uploaders (java_install_sp.txt, JavaDeployReg.txt, jinstall.cfg, jusched.txt and unknown files named oobelib.txt, swtag.txt, style.css, WER2C9B.tmp.resp.erc, amt3.txt, ~DF1760B92C41EDED64.TMP and FXSAPIDebugLogFile.txt). I'm scared to open any of these notepad files, but they probably contain info on what is going on. BTW, the fake Java installer gave me the ransomware.

PS: Sorry for being a PC noob and bothering you all with these questions.

sivispacem
  • sivispacem

    Faceless, Nameless, Endless War

  • Moderator
  • Joined: 14 Feb 2011
  • United-Kingdom
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2013, 2012, 2011

#2

Posted 14 June 2013 - 09:13 PM

Download Avast! Antivirus. Run a full scan and nuke anything it highlights. It's the best free AV programme in my view.
For extra security, you might want to run Kaspersky's TDSS Killer anti-rootkit and anti-bootkit utility. Even the best AV programmes struggle with things like TDL/TDSS which hide their components outside of the primary hard drive partition and therefore can't be examined properly. Or, worst of all, any that overwrites the Master Boot Record.

MBAM is good for generic ransomware, spyware and banking trojans, but can't even scratch the surface at rootkits or anything with a half-decent persistence mechanism.

WildBrick142
  • WildBrick142

    GTAV Forum Leader

  • Leone Family Mafia
  • Joined: 18 Dec 2012
  • Ireland
  • Contribution Award [GTA V]

#3

Posted 15 June 2013 - 12:05 AM Edited by WildBrick142, 15 June 2013 - 01:38 AM.

So I've been scanning for 2 hours already and nothing was found. ESET NOD32 thinks that Avast! .tmp files are a virus. I still think that there is something, though. If I connect my portable hard drive, will it get affected? I want to make a backup because I think I will have to nuke my system.

sivispacem
  • sivispacem

    Faceless, Nameless, Endless War

  • Moderator
  • Joined: 14 Feb 2011
  • United-Kingdom
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2013, 2012, 2011

#4

Posted 15 June 2013 - 06:45 AM

ESET Nod32 has a reputation for producing false positives. However, you may be suffering from a file infector like Ramnit. These are particularly nasty little buggers which can infect and corrupt other executable files, so that even when the worm is removed it will impede the performance of the computer and cause BSODs, errors and all sorts of nasty stuff. For ultimate peace of mind, you should scan your hard drive in its entirety without having to actually boot Windows, using a tool like Sophos bootable antivirus. Run this and it should pick up any residual infections even if they're hooked into system DLLs or reside outside the operating system partition.

Whether it finds anything or not, run Windows Repair before you nuke the thing; you might be able to restore full and normal operation without needing to reimage.

WildBrick142
  • WildBrick142

    GTAV Forum Leader

  • Leone Family Mafia
  • Joined: 18 Dec 2012
  • Ireland
  • Contribution Award [GTA V]

#5

Posted 15 June 2013 - 01:41 PM

That thing is back. I got Java error again and luckily Avast detected it.

Spuds725
  • Spuds725

    Party Animal

  • Moderator
  • Joined: 27 Sep 2003
  • United-States
  • Contribution Award [GTAF]

#6

Posted 15 June 2013 - 02:46 PM Edited by Spuds725, 15 June 2013 - 03:03 PM.

I don't consider myself an expert on this by far, but I listen to a weekly radio show out of Detroit, Michigan called the Internet Advisor-- (the show has been on like 18 years)-- anyway, on their website, one of the things they recommend is doing a system restore to prior to the malware install--

The people on this show do this type of thing for a living... http://internetadvis...nd-antispyware/

From the above page---

QUOTE
Special Note: Remember, if your computer appears to be infected, the first step I perform is a Windows System Restore. A system restore will return your computer's system files to a state recorded on a particular date and time you have selected.

The longer the virus, malware, or scare-ware is running, the more deeply it can embed itself into your computer, even disabling the ability to install antivirus / antimalware scanners. When you perform a system restore the malicious files may still be on your computer, but the modifications made by the virus that allow it to run when the computer starts up, or the changes to critical system files, will have been removed and restored. You still need to scan your computer after the system restore with an updated anti-virus and/or malware scanner.


Do you have a "system image restore point"-- if I understand them correctly, it should restore without the malware, but any data file updates or whatnot since the image was created will be lost-- not as bad as a wipe/reinstall though.

HTH...

WildBrick142
  • WildBrick142

    GTAV Forum Leader

  • Leone Family Mafia
  • Joined: 18 Dec 2012
  • Ireland
  • Contribution Award [GTA V]

#7

Posted 15 June 2013 - 03:09 PM

The problem is that I don't know when the virus got into the PC and that I don't have any restore points prior to June 14th (when my screen got locked).

Spuds725
  • Spuds725

    Party Animal

  • Moderator
  • Joined: 27 Sep 2003
  • United-States
  • Contribution Award [GTAF]

#8

Posted 15 June 2013 - 04:12 PM

QUOTE (WildBrick142 @ Saturday, Jun 15 2013, 11:09)
The problem is that I don't know when the virus got into the PC and that I don't have any restore points prior to June 14th (when my screen got locked).

This was probably obvious to you, but I will throw this out there anyway just in case you missed it... when you open up System Restore, by default it only shows the most recent restore point (I don't know why it would do this)-- but at the bottom, there is a tick box that says "show more restore points"-- if there is only one restore point shown then you need to allocate (in the future) more space.

Did you check out the link I posted above-- there are a few more scanners listed--

I do wish you luck-- wish I could be of more help--- I've been in your shoes before and had to do a system wipe/reinstall-- luckily we had an online Carbonite backup of the data files-- this was a PC used for my wife's small business.

+++++

For you and anyone else out there that might read this-- in the future you might want to invest in a dedicated drive just for backup-- I bought a 1 TB drive for this and have my PC do a weekly backup system image--- yes, it takes up a lot of space, but it was well worth the $70 I spent on the drive (from a peace of mind aspect)--- I just checked and it has weekly system image restore points for each of the last 2 months (since I installed the drive)-- it is showing the backup taking up about 380GB on the 1 TB drive....

sivispacem
  • sivispacem

    Faceless, Nameless, Endless War

  • Moderator
  • Joined: 14 Feb 2011
  • United-Kingdom
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2013, 2012, 2011

#9

Posted 15 June 2013 - 08:32 PM

QUOTE (WildBrick142 @ Saturday, Jun 15 2013, 14:41)
That thing is back. I got Java error again and luckily Avast detected it.

When was this? Can you be a little clearer about how, why, and when? I'm not sure whether it's just the way you've phrased it, but it reads like you had no issues, you did something like visited the same compromised site that infected you in the first place, and your AV blocked it this time. Forgive me if I'm wrong, but that's a good thing?

Wolf68k
  • Wolf68k

    always howling

  • Members
  • Joined: 12 Mar 2003
  • None
  • Most Knowledgeable [Technology] 2013
    Best Contributor [Technology] 2012

#10

Posted 15 June 2013 - 10:32 PM

As much as I hate to say this, the best thing to do is back up YOUR files somehow and wipe the drive, and I do mean wipe, not just let the OS installer do it, and install the OS fresh and clean.
The best way I know of to truly wipe the drive for your purposes is to use something like KillDisk, which will write 0s to every single block. This will take a long time, but it will result in a drive being as clean and empty as if you bought it (for the most part).

WildBrick142
  • WildBrick142

    GTAV Forum Leader

  • Leone Family Mafia
  • Joined: 18 Dec 2012
  • Ireland
  • Contribution Award [GTA V]

#11

Posted 16 June 2013 - 12:28 AM

QUOTE (sivispacem @ Saturday, Jun 15 2013, 20:32)
QUOTE (WildBrick142 @ Saturday, Jun 15 2013, 14:41)
That thing is back. I got Java error again and luckily Avast detected it.

When was this? Can you be a little clearer about how, why, and when? I'm not sure whether it's just the way you've phrased it, but it reads like you had no issues, you did something like visited the same compromised site that infected you in the first place, and your AV blocked it this time. Forgive me if I'm wrong, but that's a good thing?

On June 13th I got a random Bluescreen (see topic: "My PC randomly BSOD'ed").
Sometime around the same hour on June 14th, Java said my version is insecure and asked for permission to access a website which had "hack" in the URL. I denied, and 5 minutes later my screen got locked.
Now, yesterday, I got rid of it, and later when I posted, Java said that an update is recommended, so I clicked block. It popped up again. Block. I blocked both popups because I was sure that it was trying to get me again. I wasn't even doing anything that needs Java. Now, I was looking on Google about the Java virus and the official website said that this is hiding in C:\Documents and Settings\<username>\Application Data\Sun\Java\Deployment\cache. So I scanned "Deployment" with Avast and it caught two f*ckers that were used to download trojans on my PC.


QUOTE (Wolf68k @ Saturday, Jun 15 2013, 22:32)
As much as I hate to say this, the best thing to do is back up YOUR files somehow and wipe the drive, and I do mean wipe, not just let the OS installer do it, and install the OS fresh and clean.
The best way I know of to truly wipe the drive for your purposes is to use something like KillDisk, which will write 0s to every single block. This will take a long time, but it will result in a drive being as clean and empty as if you bought it (for the most part).

That's what I want to do. I just need to know if my hard drive would get infected by remaining trojans/rootkits/spyware/malware and whatever other stuff there might be that is active.

sivispacem
  • sivispacem

    Faceless, Nameless, Endless War

  • Moderator
  • Joined: 14 Feb 2011
  • United-Kingdom
  • Contribution Award [D&D, General Chat]
    Most Knowledgeable [Vehicles] 2013
    Best Debater 2013, 2012, 2011

#12

Posted 16 June 2013 - 08:40 AM

QUOTE (WildBrick142 @ Sunday, Jun 16 2013, 01:28)
QUOTE (Wolf68k @ Saturday, Jun 15 2013, 22:32)
As much as I hate to say this, the best thing to do is back up YOUR files somehow and wipe the drive, and I do mean wipe, not just let the OS installer do it, and install the OS fresh and clean.
The best way I know of to truly wipe the drive for your purposes is to use something like KillDisk, which will write 0s to every single block. This will take a long time, but it will result in a drive being as clean and empty as if you bought it (for the most part).

That's what I want to do. I just need to know if my hard drive would get infected by remaining trojans/rootkits/spyware/malware and whatever other stuff there might be that is active.

Avast! should block any malicious file transfer. If you're still having issues, this is the best course of action (as disclosed below)

unc13bud
  • unc13bud

    Weekend Answerer

  • Members
  • Joined: 05 Dec 2010
  • None

#13

Posted 17 June 2013 - 03:08 AM

QUOTE
As much as I hate to say this, the best thing to do is back up YOUR files somehow and wipe the drive, and I do mean wipe, not just let the OS installer do it, and install the OS fresh and clean.
The best way I know of to truly wipe the drive for your purposes is to use something like KillDisk, which will write 0s to every single block. This will take a long time, but it will result in a drive being as clean and empty as if you bought it (for the most part).

Best response in this thread, especially if the original poster was attacked by the "FBI Moneypack" ransomware, and especially for people that keep their computers/internet on 24/7.

Wolf68k
  • Wolf68k

    always howling

  • Members
  • Joined: 12 Mar 2003
  • None
  • Most Knowledgeable [Technology] 2013
    Best Contributor [Technology] 2012

#14

Posted 17 June 2013 - 05:02 PM

QUOTE (WildBrick142 @ Saturday, Jun 15 2013, 19:28)
QUOTE (sivispacem @ Saturday, Jun 15 2013, 20:32)
QUOTE (Wolf68k @ Saturday, Jun 15 2013, 22:32)
As much as I hate to say this, the best thing to do is back up YOUR files somehow and wipe the drive, and I do mean wipe, not just let the OS installer do it, and install the OS fresh and clean.
The best way I know of to truly wipe the drive for your purposes is to use something like KillDisk, which will write 0s to every single block. This will take a long time, but it will result in a drive being as clean and empty as if you bought it (for the most part).

That's what I want to do. I just need to know if my hard drive would get infected by remaining trojans/rootkits/spyware/malware and whatever other stuff there might be that is active.

If you let KillDisk or something else like it write over the whole drive with 1s and/or 0s, then there's no way any trojan or rootkit or anything else can survive. And because you'll be restarting with a floppy, CD or USB that has KillDisk (or the like) on it and booting it as the OS, not only does it make sure the bad guys on the drive can't live, but also any bad guys that run from RAM can't exist either.
If you want to be 100% sure, go to another PC that's clean and use that to create the KillDisk disc.

WildBrick142
  • WildBrick142

    GTAV Forum Leader

  • Leone Family Mafia
  • Joined: 18 Dec 2012
  • Ireland
  • Contribution Award [GTA V]

#15

Posted 17 June 2013 - 06:22 PM

QUOTE (Wolf68k @ Monday, Jun 17 2013, 17:02)
QUOTE (WildBrick142 @ Saturday, Jun 15 2013, 19:28)
QUOTE (sivispacem @ Saturday, Jun 15 2013, 20:32)
QUOTE (Wolf68k @ Saturday, Jun 15 2013, 22:32)
As much as I hate to say this, the best thing to do is back up YOUR files somehow and wipe the drive, and I do mean wipe, not just let the OS installer do it, and install the OS fresh and clean.
The best way I know of to truly wipe the drive for your purposes is to use something like KillDisk, which will write 0s to every single block. This will take a long time, but it will result in a drive being as clean and empty as if you bought it (for the most part).

That's what I want to do. I just need to know if my hard drive would get infected by remaining trojans/rootkits/spyware/malware and whatever other stuff there might be that is active.

If you let KillDisk or something else like it write over the whole drive with 1s and/or 0s, then there's no way any trojan or rootkit or anything else can survive. And because you'll be restarting with a floppy, CD or USB that has KillDisk (or the like) on it and booting it as the OS, not only does it make sure the bad guys on the drive can't live, but also any bad guys that run from RAM can't exist either.
If you want to be 100% sure, go to another PC that's clean and use that to create the KillDisk disc.

Thanks. Right now it is very quiet so I'll have the disk ready if something happens again.

WildBrick142
  • WildBrick142

    GTAV Forum Leader

  • Leone Family Mafia
  • Joined: 18 Dec 2012
  • Ireland
  • Contribution Award [GTA V]

#16

Posted 28 June 2013 - 12:20 AM

So this Java thing is constantly returning. I scan and delete one guy and other ones return in a while. The screen shows: Name|Original Location|Last Changes|Transfer Time
I'm regularly scanning the Deployment folder and it seems to get infected every few days. I'm planning to nuke down everything because it shouldn't return all the time. I've read on the Avast! and ESET websites that Java is vulnerable to viruses if the version is at or lower than 7 Update 11, and I don't know what version I am. Anyway, is KillDisk something you buy in a shop/online, or do you just download it and burn it on a disk? If I use it, will my Windows boot normally with no data (Documents, D drive, installed stuff, etc.) at all, or do I have to install Windows again?
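An added triage script for the situation described in this thread (the Java Deployment cache being re-infected, the Java 7 Update 11 threshold quoted from the Avast!/ESET sites, and the "show more restore points" tick box from post #8); it is not from the forum or any vendor. It assumes Windows PowerShell 4 or later, the Oracle JRE registry keys under HKLM\SOFTWARE\JavaSoft, and the Vista-and-later cache location under AppData\LocalLow (the thread quotes the Windows XP path); the function names are my own.

```powershell
# Added triage helper, not from the thread or any vendor. Assumptions: Windows
# PowerShell 4+ (Get-FileHash), Oracle JRE registry keys, Vista+ cache location.

function Get-InstalledJavaVersions {
    $keys = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
            'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($sub in Get-ChildItem $k) {
            # Full version subkeys look like "1.7.0_11"; skip the "1.7" alias keys.
            if ($sub.PSChildName -notmatch '^1\.(\d+)\.\d+_(\d+)$') { continue }
            $major = [int]$Matches[1]; $update = [int]$Matches[2]
            [pscustomobject]@{
                Version = $sub.PSChildName
                # Threshold quoted in the thread: 7 Update 11 or older is exposed.
                Exposed = ($major -lt 7) -or ($major -eq 7 -and $update -le 11)
            }
        }
    }
}

function Get-RecentDeploymentCacheFiles {
    param([int]$Days = 7)
    $cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
    if (-not (Test-Path $cache)) { return }
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem $cache -Recurse -File |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            # A SHA-256 lets each file be checked with an AV vendor without opening it.
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-RestorePointSummary {
    # Lists every restore point, not only the most recent one the GUI shows by default.
    try {
        Get-ComputerRestorePoint | ForEach-Object {
            [pscustomobject]@{
                Sequence = $_.SequenceNumber
                Created  = $_.ConvertToDateTime($_.CreationTime)
                Reason   = $_.Description
            }
        }
    } catch { Write-Warning "Could not read restore points (needs an elevated prompt): $_" }
}

Get-InstalledJavaVersions      | Format-Table -AutoSize
Get-RecentDeploymentCacheFiles | Format-Table -AutoSize
Get-RestorePointSummary        | Format-Table -AutoSize
```

Run it from an elevated prompt so the restore-point query succeeds; the cache listing and the version check work from a normal prompt.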
